-rw-r--r--src/lib/ndpi_content_match.c.inc5
-rw-r--r--src/lib/ndpi_main.c134
-rw-r--r--src/lib/protocols/http.c152
-rw-r--r--src/lib/protocols/ntp.c2
-rw-r--r--src/lib/protocols/tls.c13
-rw-r--r--tests/result/1kxun.pcap.out6
-rw-r--r--tests/result/anyconnect-vpn.pcap.out6
-rw-r--r--tests/result/mpeg.pcap.out2
-rw-r--r--tests/result/nest_log_sink.pcap.out17
-rw-r--r--tests/result/nintendo.pcap.out6
-rw-r--r--tests/result/ookla.pcap.out2
-rw-r--r--tests/result/skype.pcap.out8
-rw-r--r--tests/result/skype_no_unknown.pcap.out5
-rw-r--r--tests/result/whatsapp_login_call.pcap.out5
-rw-r--r--tests/result/whatsapp_login_chat.pcap.out5
-rw-r--r--tests/result/zoom.pcap.out6
16 files changed, 203 insertions, 171 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 3d188f9a0..91a91a9fd 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -9095,7 +9095,10 @@ static ndpi_category_match category_match[] = {
{ ".playercdn.net", "\\.playercdn" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "showmax.com", "showmax" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "showmax.akamaized.net", "showmax\\.akamaized" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING },
-
+ { "skyq.sky.com", "skyq\\.sky\\.com" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING },
+ { "iptv.sky.", "iptv\\.sky\\." TLD, NDPI_PROTOCOL_CATEGORY_STREAMING },
+ { "pcdn.skycdn.", "pcdn\\.skycdn\\." TLD, NDPI_PROTOCOL_CATEGORY_STREAMING },
+
/* Hulu Streaming services AS23286 */
{ "8.28.124.0/24", NULL, NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "8.28.125.0/24", NULL, NDPI_PROTOCOL_CATEGORY_STREAMING },
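Review bot: The regex column of the three new Sky rows does not follow the convention of the neighbouring entries, where the literal top-level domain is left out and supplied by `TLD` (`"showmax.com"` is paired with `"showmax" TLD`). `"skyq\\.sky\\.com" TLD` keeps `.com` in front of `TLD`, and `"iptv\\.sky\\." TLD` and `"pcdn\\.skycdn\\." TLD` end in an escaped dot before it. `TLD` is defined outside this hunk, so it should be confirmed that these patterns can still match. If it expands to a dot-plus-suffix pattern, the rows would read `"skyq\\.sky" TLD`, `"iptv\\.sky" TLD` and `"pcdn\\.skycdn" TLD`.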
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7138ab9c1..40bf9ae20 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1766,7 +1766,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
1 /* no subprotocol */, no_master,
no_master, "Bloomberg", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CAPWAP,
1 /* no subprotocol */, no_master,
no_master, "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK,
@@ -1950,7 +1950,7 @@ static patricia_node_t* add_to_ptree(patricia_tree_t *tree, int family,
/* ******************************************* */
/*
- Load a file containing IPv4 addresses in CIDR format as 'protocol_id'
+ Load a file containing IPv4 addresses in CIDR format as 'protocol_id'
Return: the number of entries loaded or -1 in case of error
*/
@@ -1960,7 +1960,7 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str,
FILE *fd;
int len;
u_int num_loaded = 0;
-
+
fd = fopen(path, "r");
if(fd == NULL) {
@@ -1985,9 +1985,9 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str,
if(addr) {
struct in_addr pin;
patricia_node_t *node;
-
+
cidr = strtok_r(NULL, "\n", &saveptr);
-
+
pin.s_addr = inet_addr(addr);
if((node = add_to_ptree(ndpi_str->protocols_ptree, AF_INET,
&pin, cidr ? atoi(cidr) : 32 /* bits */)) != NULL)
@@ -2013,7 +2013,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str,
if(skip_tor_hosts && (host_list[i].value == NDPI_PROTOCOL_TOR))
continue;
-
+
pin.s_addr = htonl(host_list[i].network);
if((node = add_to_ptree(ptree, AF_INET,
&pin, host_list[i].cidr /* bits */)) != NULL)
@@ -2307,7 +2307,7 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str)
automa = &ndpi_str->impossible_bigrams_automa;
break;
}
-
+
ac_automata_finalize((AC_AUTOMATA_t*)automa->ac_automa);
automa->ac_automa_finalized = 1;
}
@@ -3509,7 +3509,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main_init.c"
#endif
-
+
/* ----------------------------------------------------------------- */
ndpi_str->callback_buffer_size = a;
@@ -4055,22 +4055,24 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str,
func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func;
}
- for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) {
- if((func != ndpi_str->callback_buffer_udp[a].func)
- && (ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
- ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask
- && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
- ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0
- && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask,
- detection_bitmask) != 0) {
- ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow);
-
- // NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a);
- if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
- break; /* Stop after detecting the first protocol */
- } else
- if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_str,
- "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a);
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
+ for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) {
+ if((func != ndpi_str->callback_buffer_udp[a].func)
+ && (ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
+ ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask
+ && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
+ ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0
+ && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask,
+ detection_bitmask) != 0) {
+ ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow);
+
+ // NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a);
+ if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
+ break; /* Stop after detecting the first protocol */
+ } else
+ if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_str,
+ "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a);
+ }
}
}
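Review bot: The new guard `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)` around the UDP dissector loop carries no comment saying why the remaining dissectors are now skipped, and it changes which dissector gets the final word on a flow. A line such as `/* The dissector of the guessed protocol already classified this flow: do not let other dissectors overwrite it */` above the `if` would record the intent. The unbraced `else` followed by a second `if` on the next line is easy to misread now that it sits one level deeper, so bracing it (`} else { if(_ndpi_debug_callbacks) ... }`) is worth doing while the block is being re-indented. Whether the TCP and generic counterparts of this function need the same guard cannot be seen from this hunk, which starts inside check_ndpi_udp_flow_func.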
@@ -4191,7 +4193,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
*protocol_was_guessed = 0;
-
+
if(flow == NULL)
return(ret);
@@ -4298,10 +4300,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
ret.app_protocol = NDPI_PROTOCOL_HANGOUT_DUO;
}
}
-
+
if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)
- ndpi_fill_protocol_category(ndpi_str, flow, &ret);
-
+ ndpi_fill_protocol_category(ndpi_str, flow, &ret);
+
return(ret);
}
@@ -4697,7 +4699,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(flow->check_extra_packets) {
ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_tick_l, src, dst);
/* Update in case of new match */
- ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
+ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0], ret.category = flow->category;;
return(ret);
} else
goto ret_protocols;
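Review bot: The changed line ends in a stray `;;` and chains three assignments with the comma operator, which hides the newly added `ret.category` copy at the end of a long line. Separate statements read better and diff more cleanly: `ret.master_protocol = flow->detected_protocol_stack[1];`, `ret.app_protocol = flow->detected_protocol_stack[0];`, `ret.category = flow->category;`. The enclosing function starts and ends outside this hunk.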
@@ -4796,7 +4798,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(flow->packet.iph) {
if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
u_int8_t protocol_was_guessed;
-
+
/* ret.master_protocol = flow->guessed_protocol_id , ret.app_protocol = flow->guessed_host_protocol_id; /\* ****** *\/ */
ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed);
}
@@ -4816,34 +4818,33 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
addr.s_addr = flow->packet.iph->daddr;
flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_str, &addr);
}
+
+ /*
+ We could implement a shortcut here skipping dissectors for
+ protocols we have identified by other means such as with the IP
+
+ However we do NOT stop here and skip invoking the dissectors
+ because we want to dissect the flow (e.g. dissect the TLS)
+ and extract metadata.
+ */
+#if SKIP_INVOKING_THE_DISSECTORS
+ if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
+ /*
+ We have identified a protocol using the IP address so
+ it is not worth to dissect the traffic as we already have
+ the solution
+ */
+ ret.master_protocol = flow->guessed_protocol_id,
+ ret.app_protocol = flow->guessed_host_protocol_id;
+ }
+#endif
}
}
}
if(flow->guessed_host_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) {
/* This is a custom protocol and it has priority over everything else */
- ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_host_protocol_id;
-
- if(flow->packet.tcp && (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN)) {
- /* Minimal guess for HTTP/SSL-based protocols */
- int i;
-
- for(i=0; i<2; i++) {
- u_int16_t port = (i == 0) ? ntohs(flow->packet.tcp->dest) : ntohs(flow->packet.tcp->source);
-
- switch(port) {
- case 80:
- ret.master_protocol = NDPI_PROTOCOL_HTTP;
- break;
- case 443:
- ret.master_protocol = NDPI_PROTOCOL_TLS; /* QUIC could also match */
- break;
- }
-
- if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN)
- break;
- }
- }
+ ret.master_protocol = flow->guessed_protocol_id, ret.app_protocol = flow->guessed_host_protocol_id;
ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
ndpi_fill_protocol_category(ndpi_str, flow, &ret);
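Review bot: `#if SKIP_INVOKING_THE_DISSECTORS` tests a macro that is not defined anywhere in the visible diff, so the block is disabled only because an undefined identifier evaluates to 0 in `#if`, and builds using `-Wundef` will warn. If the block is meant as an opt-in build switch, `#ifdef SKIP_INVOKING_THE_DISSECTORS` with a short note next to the other build options is clearer; if it is only a reminder, `#if 0` says so. The comment above it also breaks off mid-sentence at "such as with the IP" and should be completed (presumably "IP address"). In the custom-protocol branch below, the port-based HTTP/TLS fallback is replaced by `flow->guessed_protocol_id`, and a one-line comment on where that value comes from would help, since its assignment is outside the hunk.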
@@ -4893,7 +4894,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
&& (flow->guessed_protocol_id == 0)
) {
u_int8_t protocol_was_guessed;
-
+
/*
This is a TCP flow
- whose first packet is NOT a SYN
@@ -4905,6 +4906,13 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed);
}
+ if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN)
+ && (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)
+ && (flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
+ ret.master_protocol = ret.app_protocol;
+ ret.app_protocol = flow->guessed_host_protocol_id;
+ }
+
invalidate_ptr:
/*
Invalidate packet memory to avoid accessing the pointers below
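Review bot: The block added before `invalidate_ptr:` does not exclude the case where `ret.app_protocol` already equals `flow->guessed_host_protocol_id`, in which case the result carries the same id as both master and application protocol. That can happen if the application protocol was itself derived from the host guess, for instance inside ndpi_detection_giveup, whose body is not visible here. Adding `&& (ret.app_protocol != flow->guessed_host_protocol_id)` to the condition avoids the duplicate. The block also needs a comment stating the intent, for example `/* Dissected protocol becomes the master, the IP-based guess becomes the application (e.g. NTP.Apple) */`, because it silently promotes an address-based guess over what the dissector reported.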
@@ -5169,7 +5177,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' '))
packet->content_line.len--, packet->content_line.ptr++;
-
+
packet->http_num_headers++;
}
/* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */
@@ -5186,14 +5194,14 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
char separator[] = { ';', '\r', '\0' };
int i;
- for(i=0; separator[i] != '\0'; i++) {
+ for(i=0; separator[i] != '\0'; i++) {
char *c = memchr((char*)packet->content_line.ptr, separator[i], packet->content_line.len);
-
+
if(c != NULL)
packet->content_line.len = c - (char*)packet->content_line.ptr;
}
}
-
+
/* "Accept:" header line in HTTP request. */
if(packet->line[packet->parsed_lines].len > 8
&& strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) {
@@ -6202,7 +6210,7 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_
if((previous_proto == NDPI_PROTOCOL_UNKNOWN)
|| (previous_proto == new_proto))
return(0);
-
+
switch(previous_proto) {
case NDPI_PROTOCOL_WHATSAPP_CALL:
case NDPI_PROTOCOL_WHATSAPP_FILES:
@@ -6307,7 +6315,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
flow, string_to_match, string_to_match_len,
master_protocol_id, ret_match, 1);
unsigned long id = ret_match->protocol_category;
-
+
if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) {
if(id != -1) {
flow->category = ret_match->protocol_category = id;
@@ -6593,15 +6601,15 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) {
case ndpi_l4_proto_unknown:
return("");
break;
-
+
case ndpi_l4_proto_tcp_only:
return("TCP");
break;
-
+
case ndpi_l4_proto_udp_only:
return("UDP");
break;
-
+
case ndpi_l4_proto_tcp_and_udp:
return("TCP/UDP");
break;
@@ -6613,7 +6621,7 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) {
/* ******************************************************************** */
ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct,
- u_int16_t ndpi_proto_id) {
+ u_int16_t ndpi_proto_id) {
if(ndpi_proto_id < ndpi_struct->ndpi_num_supported_protocols) {
u_int16_t idx = ndpi_struct->proto_defaults[ndpi_proto_id].protoIdx;
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE bm = ndpi_struct->callback_buffer[idx].ndpi_selection_bitmask;
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 6b26a7dc3..4382879d0 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -33,7 +33,8 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
/* *********************************************** */
-static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
ndpi_search_http_tcp(ndpi_struct, flow);
#ifdef HTTP_DEBUG
@@ -52,9 +53,46 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_
/* *********************************************** */
+/* https://www.freeformatter.com/mime-types-list.html */
+static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ if(packet->content_line.len > 0) {
+ u_int app_len = sizeof("application");
+
+ if(packet->content_line.len > app_len) {
+ if(ndpi_strncasestr((const char *)&packet->content_line.ptr[app_len], "mpeg",
+ packet->content_line.len-app_len) != NULL) {
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;
+ return(flow->category);
+ }
+ }
+
+ switch(packet->content_line.ptr[0]) {
+ case 'a':
+ if(strncasecmp((const char *)packet->content_line.ptr, "audio",
+ ndpi_min(packet->content_line.len, 5)) == 0)
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA;
+ break;
+
+ case 'v':
+ if(strncasecmp((const char *)packet->content_line.ptr, "video",
+ ndpi_min(packet->content_line.len, 5)) == 0)
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA;
+ break;
+ }
+ }
+
+ return(flow->category);
+}
+
+/* *********************************************** */
+
static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- u_int16_t category) {
+ u_int16_t http_protocol,
+ ndpi_protocol_category_t category) {
#ifdef HTTP_DEBUG
printf("=> %s()\n", __FUNCTION__);
#endif
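Review bot: In the new ndpi_http_check_content, both prefix tests accept values they should not. `strncasecmp(..., "audio", ndpi_min(packet->content_line.len, 5))` compares fewer than five bytes when the Content-Type is shorter, so a value of just `a` or `vi` is classified as Media. The `switch` on `ptr[0]` only enters for lower-case `a`/`v` although the comparison is case-insensitive. The "mpeg" search skips `sizeof("application")` bytes (12, counting the NUL, which happens to equal the length of "application/") without checking that the value starts with that prefix, so any sufficiently long Content-Type containing "mpeg" is marked Streaming. Content-Type is set by the remote peer, so these loose matches let it steer the category. The tests should require the full prefix, as sketched below, where the `application/` check is presumably what was intended.

```c
  if(packet->content_line.len > 0) {
    /* sizeof() counts the trailing NUL, i.e. the length of "application/" */
    u_int app_len = sizeof("application");

    if((packet->content_line.len > app_len)
       && (strncasecmp((const char *)packet->content_line.ptr, "application/", app_len) == 0)) {
      /* … unchanged: ndpi_strncasestr() search for "mpeg" and early return … */
    }

    if(packet->content_line.len >= 5) {
      const char *ct = (const char *)packet->content_line.ptr;

      if((strncasecmp(ct, "audio", 5) == 0) || (strncasecmp(ct, "video", 5) == 0))
        flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA;
    }
  }
```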
@@ -66,30 +104,36 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
ndpi_search_tcp_or_udp(ndpi_struct, flow);
/* If no custom protocol has been detected */
- if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
- ndpi_int_reset_protocol(flow);
- ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP);
- } else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
+ if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) || (http_protocol != NDPI_PROTOCOL_HTTP))
+ flow->guessed_host_protocol_id = http_protocol;
+
+ category = ndpi_http_check_content(ndpi_struct, flow);
+ ndpi_int_reset_protocol(flow);
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP);
/* This is necessary to inform the core to call this dissector again */
flow->check_extra_packets = 1;
flow->max_extra_packets_to_check = 5;
flow->extra_packets_func = ndpi_search_http_tcp_again;
- flow->http_detected = 1, flow->guessed_category = category;
+ flow->http_detected = 1, flow->guessed_category = flow->category = category;
}
+/* ************************************************************* */
+
static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
- if(packet->accept_line.len >= 28 && memcmp(packet->accept_line.ptr, "application/x-rtsp-tunnelled", 28) == 0) {
+ if((packet->accept_line.len >= 28)
+ && (memcmp(packet->accept_line.ptr, "application/x-rtsp-tunnelled", 28) == 0)) {
NDPI_LOG_INFO(ndpi_struct, "found RTSP accept line\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTSP);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_CATEGORY_MEDIA);
}
}
+/* ************************************************************* */
+
static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *ua) {
if ( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000";
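Review bot: The `category` parameter of ndpi_int_http_add_connection is overwritten by `category = ndpi_http_check_content(ndpi_struct, flow);` before it is read, so the value each caller now passes (`NDPI_PROTOCOL_CATEGORY_MEDIA` for RTSP here, Streaming for Netflix and Web elsewhere in this diff) has no effect. The helper returns `flow->category` as it stands, which is whatever an earlier step left there when the Content-Type matches nothing. If the caller's value is meant as the default, keep it unless the content check yields something, e.g. `if(ndpi_http_check_content(ndpi_struct, flow) != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) category = flow->category;`. The retained comment `/* If no custom protocol has been detected */` no longer describes the condition below it, which now also replaces an existing host guess whenever `http_protocol != NDPI_PROTOCOL_HTTP`. The function body starts outside this hunk.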
@@ -110,7 +154,10 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
}
}
-static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+/* ************************************************************* */
+
+static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
char *double_col = strchr((char*)flow->host_server_name, ':');
ndpi_protocol_match_result ret_match;
@@ -124,13 +171,14 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc
}
}
+/* ************************************************************* */
+
/**
NOTE
ndpi_parse_packet_line_info is in ndpi_main.c
*/
static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
-
struct ndpi_packet_struct *packet = &flow->packet;
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
@@ -142,13 +190,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
/* PPStream */
if(flow->l4.tcp.ppstream_stage > 0 && flow->iqiyi_counter == 0) {
NDPI_LOG_INFO(ndpi_struct, "found PPStream\n");
- /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM); */
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_HTTP);
- }
- else if(flow->iqiyi_counter > 0) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM,
+ NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_STREAMING);
+ } else if(flow->iqiyi_counter > 0) {
NDPI_LOG_INFO(ndpi_struct, "found iQiyi\n");
- /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI); */
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_HTTP);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI,
+ NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_STREAMING);
}
#endif
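Review bot: The two rewritten calls for PPStream and iQiyi pass five arguments to `ndpi_set_detected_protocol`, while every other call in this diff (for example the one at the top of check_content_type_and_change_protocol) passes four. Unless the function is variadic or has been redefined outside the visible hunks, this will not compile once the surrounding `#if` is enabled, and the failure would be hidden in builds where it is not. If the aim is to record the category, set it on the flow separately, e.g. `flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;` after the original four-argument call.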
@@ -156,8 +203,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
/* 1KXUN */
if(flow->kxun_counter > 0) {
NDPI_LOG_INFO(ndpi_struct, "found 1kxun\n");
- /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN); */
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_HTTP);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_CATEGORY_STREAMING);
}
#endif
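Review bot: In the 1kxun branch the fourth argument changed from `NDPI_PROTOCOL_HTTP` to `NDPI_PROTOCOL_CATEGORY_STREAMING`, so a category constant is now passed in the slot that every other call uses for the lower (master) protocol id. The flow would then be reported with whatever protocol happens to share that numeric value as its master instead of HTTP. Keep `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_HTTP);` and assign the category on the flow in a separate statement.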
@@ -257,10 +303,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
setHttpUserAgent(ndpi_struct, flow, token);
}
}
- }
- else if(memcmp(ua, "netflix-ios-app", 15) == 0) {
+ } else if(memcmp(ua, "netflix-ios-app", 15) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found netflix\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_NETFLIX);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING);
return;
}
}
@@ -294,7 +339,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
flow->host_server_name[len] = '\0';
flow->extra_packets_func = NULL; /* We're good now */
}
-
+
flow->server_id = flow->dst;
if(packet->forwarded_line.ptr) {
@@ -305,7 +350,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
- parseHttpSubprotocol(ndpi_struct, flow);
+ ndpi_http_parse_subprotocol(ndpi_struct, flow);
/**
check result of host subprotocol detection
@@ -344,7 +389,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n",
ndpi_get_proto_name(ndpi_struct, packet->detected_protocol_stack[0]));
- ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]);
+ ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0], NDPI_PROTOCOL_CATEGORY_WEB);
return; /* We have identified a sub-protocol so we're done */
}
}
@@ -352,7 +397,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
#if 0
if(flow->http_detected)
- parseHttpSubprotocol(ndpi_struct, flow);
+ ndpi_http_parse_subprotocol(ndpi_struct, flow);
#endif
if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
@@ -374,7 +419,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) {
int len = packet->content_line.len + 1;
-
+
flow->http.content_type = ndpi_malloc(len);
if(flow->http.content_type) {
strncpy(flow->http.content_type, (char*)packet->content_line.ptr,
@@ -382,7 +427,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
flow->http.content_type[packet->content_line.len] = '\0';
}
}
-
+
if(flow->http_detected) {
ndpi_protocol_match_result ret_match;
@@ -392,13 +437,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
- ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]);
+ ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0], NDPI_PROTOCOL_CATEGORY_WEB);
}
+/* ************************************************************* */
+
static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
/* Add here your paylod code check */
}
+/* ************************************************************* */
+
/**
* Functions to check whether the packet begins with a valid http request
* @param ndpi_struct
@@ -529,7 +578,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
</cross-domain-policy>
*/
ookla_found:
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_CATEGORY_WEB);
if(ndpi_struct->ookla_cache == NULL)
ndpi_struct->ookla_cache = ndpi_lru_cache_init(1024);
@@ -593,34 +642,12 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
goto ookla_found;
}
-#if OBSOLETE
- /* Check for additional field introduced by Steam */
- int x = 1;
- if(packet->line[x].len >= 11 && (memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found STEAM\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_STEAM);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- return;
- }
-
- /* Check for additional field introduced by Facebook */
- x = 1;
- while(packet->line[x].len != 0) {
- if(packet->line[x].len >= 12 && (memcmp(packet->line[x].ptr, "X-FB-SIM-HNI", 12)) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found FACEBOOK\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_FACEBOOK);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- return;
- }
- x++;
- }
-#endif
-
#if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI)
/* check PPStream protocol or iQiyi service
(iqiyi is delivered by ppstream) */
// substring in url
- if(ndpi_strnstr((const char*) &packet->payload[filename_start], "iqiyi.com", (packet->payload_packet_len - filename_start)) != NULL) {
+ if(ndpi_strnstr((const char*) &packet->payload[filename_start], "iqiyi.com",
+ (packet->payload_packet_len - filename_start)) != NULL) {
if(flow->kxun_counter == 0) {
flow->l4.tcp.ppstream_stage++;
flow->iqiyi_counter++;
@@ -662,14 +689,14 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if((packet->http_url_name.len > 7)
&& (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY, NDPI_PROTOCOL_CATEGORY_WEB);
check_content_type_and_change_protocol(ndpi_struct, flow);
}
if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) {
/* nathan@getoffmalawn.com */
NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT, NDPI_PROTOCOL_CATEGORY_WEB);
check_content_type_and_change_protocol(ndpi_struct, flow);
}
@@ -684,7 +711,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
in 99.99% of the cases is like that.
*/
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
flow->http_detected = 1;
NDPI_LOG_DBG2(ndpi_struct,
"HTTP START Found, we will look further for the response...\n");
@@ -712,7 +739,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
/**
- At first check, if this is for sure a response packet (in another direction. If not, if HTTP is detected do nothing now and return,
+ At first check, if this is for sure a response packet
+ (in another direction. If not, if HTTP is detected do nothing now and return,
otherwise check the second packet for the HTTP request
*/
if((flow->l4.tcp.http_stage - packet->packet_direction) == 1) { /* Expected a response package */
@@ -746,7 +774,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
&& memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
check_content_type_and_change_protocol(ndpi_struct, flow);
NDPI_LOG_DBG2(ndpi_struct,
@@ -768,7 +796,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) {
/* In Apache if you do "GET /\n\n" the response comes without any header */
NDPI_LOG_INFO(ndpi_struct, "found HTTP. (apache)\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
}
@@ -776,7 +804,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
/* If we already detected the HTTP request, we can add the connection and then check for the sub-protocol */
if(flow->http_detected) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
}
/* Parse packet line and we look for the subprotocols */
diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index a03ed3b43..126dadc4c 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -58,8 +58,8 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
}
}
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 9d22a66db..23c47d7cd 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1400,19 +1400,16 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t ret, skip_cert_processing = 0;
#ifdef DEBUG_TLS
- printf("%s()\n", __FUNCTION__);
+ printf("==>> %u [len: %u][version: %u]\n",
+ flow->guessed_host_protocol_id,
+ packet->payload_packet_len,
+ flow->protos.stun_ssl.ssl.ssl_version);
#endif
if(packet->udp != NULL) {
/* DTLS dissector */
int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow);
-
-#ifdef DEBUG_TLS
- printf("==>> %u [rc: %d][len: %u][%s][version: %u]\n",
- flow->guessed_host_protocol_id, rc, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ja3_server,
- flow->protos.stun_ssl.ssl.ssl_version);
-#endif
-
+
if((rc == 0) && (flow->protos.stun_ssl.ssl.ssl_version != 0)) {
flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index e2d5cea15..7cede1bfa 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -2,7 +2,6 @@ Unknown 24 6428 14
DNS 5 638 2
HTTP 945 530967 19
MDNS 1 82 1
-NTP 1 90 1
NetBIOS 31 3589 8
SSDP 143 36951 13
DHCP 24 8208 5
@@ -12,6 +11,7 @@ TLS 105 21914 7
DHCPV6 10 980 3
Facebook 19 6840 2
Google 12 991 4
+Apple 1 90 1
LLMNR 89 6799 47
JA3 Host Stats:
@@ -19,7 +19,7 @@ JA3 Host Stats:
1 192.168.5.16 2
- 1 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7/HTTP][cat: Web/5][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Goodput ratio: 6.7/94.9][51.74 sec][Host: 183.131.48.144][bytes ratio: -0.836 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 189.9/321.4 862/665 235.6/194.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 58.0/1060.5 557/1078 44.0/127.3][URL: 183.131.48.144/vlive.qqvideo.tc.qq.com/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE656][StatusCode: 206][ContentType: video/mp4][UserAgent: ][PLAIN TEXT (GET /vlive.qq)]
+ 1 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7/HTTP][cat: Media/1][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Goodput ratio: 6.7/94.9][51.74 sec][Host: 183.131.48.144][bytes ratio: -0.836 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 189.9/321.4 862/665 235.6/194.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 58.0/1060.5 557/1078 44.0/127.3][URL: 183.131.48.144/vlive.qqvideo.tc.qq.com/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE656][StatusCode: 206][ContentType: video/mp4][UserAgent: ][PLAIN TEXT (GET /vlive.qq)]
2 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][18 pkts/1722 bytes <-> 51 pkts/61707 bytes][Goodput ratio: 42.1/95.5][45.37 sec][Host: pic.1kxun.com][bytes ratio: -0.946 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3472.5/1028.9 44994/45054 11986.3/6713.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 95.7/1209.9 416/1314 113.3/325.4][URL: pic.1kxun.com/video_kankan/images/videos/18283-jfyj3.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)]
3 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][18 pkts/2440 bytes <-> 43 pkts/49237 bytes][Goodput ratio: 59.2/95.2][45.30 sec][Host: pic.1kxun.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3465.9/3.9 44999/62 11989.6/12.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 135.6/1145.0 415/1314 149.1/400.0][URL: pic.1kxun.com/video_kankan/images/videos/3578-ywzj.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)]
4 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][24 pkts/2786 bytes <-> 41 pkts/46203 bytes][Goodput ratio: 51.7/95.1][45.33 sec][Host: pic.1kxun.com][bytes ratio: -0.886 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2648.9/11.6 44748/253 10524.9/44.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.1/1126.9 415/1314 133.3/398.1][URL: pic.1kxun.com/video_kankan/images/videos/3713-ydm.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)]
@@ -127,7 +127,7 @@ JA3 Host Stats:
106 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 53.8/0.0][< 1 sec][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)]
107 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 31.5/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)]
108 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 31.5/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)]
- 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes][Goodput ratio: 52.7/0.0][< 1 sec]
+ 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes][Goodput ratio: 52.7/0.0][< 1 sec]
110 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48.2/0.0][< 1 sec][PLAIN TEXT (googlecast)]
111 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Goodput ratio: 40.3/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)]
112 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Goodput ratio: 40.3/0.0][< 1 sec][Host: charming-pc][PLAIN TEXT (charming)]
diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out
index d521cbec5..e4841247f 100644
--- a/tests/result/anyconnect-vpn.pcap.out
+++ b/tests/result/anyconnect-vpn.pcap.out
@@ -11,10 +11,10 @@ ICMPV6 18 2964 2
Slack 29 4979 2
Google 2 132 1
AJP 5 390 1
-Apple 2 297 1
+Apple 7 656 2
CiscoVPN 33 4378 2
Amazon 36 3540 3
-ApplePush 11 1325 4
+ApplePush 6 966 3
JA3 Host Stats:
IP Address # JA3C
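Review bot: The per-protocol summary now counts a flow under the second id of its `proto:` pair, so the `ApplePush` row here drops from 4 flows to 3 even though flow 31 in the next hunk is still detected as `238.140/ApplePush.Apple`. The same shift removes the `ApplePush` row entirely in skype.pcap.out, skype_no_unknown.pcap.out and both whatsapp_login_*.pcap.out, and the `NTP` row in skype.pcap.out. Reports or alerts keyed on those summary names (NTP volume, push traffic) would read zero after this change without any error. That looks like an interface change worth stating in the commit message, for example `summary rows are keyed on the second (application) protocol id; IP-derived ids now take that slot`. The code that builds the pair is outside these hunks, so this is inferred from the expected output only.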
@@ -51,7 +51,7 @@ JA3 Host Stats:
28 UDP 10.0.0.227:59582 <-> 75.75.75.75:53 [proto: 5.238/DNS.ApplePush][cat: Cloud/13][1 pkts/92 bytes <-> 1 pkts/323 bytes][Goodput ratio: 53.8/86.7][0.02 sec][Host: 1-courier.sandbox.push.apple.com][PLAIN TEXT (courier)]
29 TCP 10.0.0.227:56871 <-> 8.37.103.196:443 [proto: 91/TLS][cat: Web/5][1 pkts/66 bytes <-> 5 pkts/330 bytes][Goodput ratio: 0.0/0.0][20.32 sec][bytes ratio: -0.667 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/0.0 0/0 0.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66.0/66.0 66/66 0.0/0.0]
30 TCP 10.0.0.227:56916 -> 10.0.0.151:8009 [proto: 139/AJP][cat: Web/5][5 pkts/390 bytes -> 0 pkts/0 bytes][Goodput ratio: 0.0/0.0][5.03 sec]
- 31 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238/ApplePush][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0.0/28.5][0.02 sec]
+ 31 TCP 10.0.0.227:56886 <-> 17.57.144.116:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][3 pkts/174 bytes <-> 2 pkts/185 bytes][Goodput ratio: 0.0/28.5][0.02 sec]
32 UDP 10.0.0.151:1900 -> 10.0.0.227:61328 [proto: 12/SSDP][cat: System/18][1 pkts/353 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.9/0.0][< 1 sec][PLAIN TEXT (HTTP/1.1 200 OK)]
33 TCP 10.0.0.227:56910 <-> 35.201.124.9:443 [proto: 91/TLS][cat: Web/5][2 pkts/170 bytes <-> 2 pkts/164 bytes][Goodput ratio: 22.2/19.4][0.05 sec]
34 UDP 10.0.0.227:62427 <-> 75.75.75.75:53 [proto: 5/DNS][cat: Network/14][1 pkts/84 bytes <-> 1 pkts/242 bytes][Goodput ratio: 49.4/82.3][0.02 sec][Host: detectportal.firefox.com][PLAIN TEXT (detectportal)]
diff --git a/tests/result/mpeg.pcap.out b/tests/result/mpeg.pcap.out
index ee94c2573..8dd4f10eb 100644
--- a/tests/result/mpeg.pcap.out
+++ b/tests/result/mpeg.pcap.out
@@ -1,3 +1,3 @@
ntop 19 10643 1
- 1 TCP 192.168.80.160:55804 <-> 46.101.157.119:80 [proto: 7.26/HTTP.ntop][cat: Network/14][9 pkts/754 bytes <-> 10 pkts/9889 bytes][Goodput ratio: 19.6/93.2][0.18 sec][Host: luca.ntop.org][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.4/5.9 77/41 28.4/14.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/68 83.8/988.9 214/1502 46.2/649.2][URL: luca.ntop.org/0.mp3][StatusCode: 200][ContentType: audio/mpeg][UserAgent: Wget/1.16.3 (darwin14.1.0)][PLAIN TEXT (GET /0.mp)]
+ 1 TCP 192.168.80.160:55804 <-> 46.101.157.119:80 [proto: 7.26/HTTP.ntop][cat: Media/1][9 pkts/754 bytes <-> 10 pkts/9889 bytes][Goodput ratio: 19.6/93.2][0.18 sec][Host: luca.ntop.org][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.4/5.9 77/41 28.4/14.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/68 83.8/988.9 214/1502 46.2/649.2][URL: luca.ntop.org/0.mp3][StatusCode: 200][ContentType: audio/mpeg][UserAgent: Wget/1.16.3 (darwin14.1.0)][PLAIN TEXT (GET /0.mp)]
diff --git a/tests/result/nest_log_sink.pcap.out b/tests/result/nest_log_sink.pcap.out
index c8cbf739e..5db8503ec 100644
--- a/tests/result/nest_log_sink.pcap.out
+++ b/tests/result/nest_log_sink.pcap.out
@@ -1,17 +1,18 @@
DNS 15 1612 1
-NestLogSink 759 116848 13
+NestLogSink 457 44483 6
+Google 302 72365 7
- 1 TCP 192.168.242.15:63342 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][37 pkts/14650 bytes <-> 35 pkts/4115 bytes][Goodput ratio: 86.1/54.0][4.71 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/0 142.2/150.2 1347/1490 250.6/289.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 395.9/117.6 585/733 191.9/107.5][PLAIN TEXT (05CA02AC4414028)]
- 2 TCP 192.168.242.15:63345 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][36 pkts/14613 bytes <-> 35 pkts/4114 bytes][Goodput ratio: 86.4/53.9][4.14 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 131.6/134.1 1166/1477 228.8/290.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 405.9/117.5 584/732 185.3/107.3][PLAIN TEXT (05CA02AC4414028)]
- 3 TCP 192.168.242.15:63351 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][25 pkts/9229 bytes <-> 24 pkts/2916 bytes][Goodput ratio: 85.0/55.4][3.56 sec][bytes ratio: 0.520 (Upload)][IAT c2s/s2c min/avg/max/stddev: 5/0 163.8/174.5 1319/1484 293.5/350.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 369.2/121.5 584/733 204.4/129.6][PLAIN TEXT (05CA02AC4414028)]
- 4 TCP 192.168.242.15:63348 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][25 pkts/9114 bytes <-> 24 pkts/2915 bytes][Goodput ratio: 84.8/55.4][3.42 sec][bytes ratio: 0.515 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 157.7/169.4 1167/1475 265.8/349.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 364.6/121.5 584/732 204.5/129.4][PLAIN TEXT (05CA02AC4414028)]
+ 1 TCP 192.168.242.15:63342 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][37 pkts/14650 bytes <-> 35 pkts/4115 bytes][Goodput ratio: 86.1/54.0][4.71 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/0 142.2/150.2 1347/1490 250.6/289.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 395.9/117.6 585/733 191.9/107.5][PLAIN TEXT (05CA02AC4414028)]
+ 2 TCP 192.168.242.15:63345 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][36 pkts/14613 bytes <-> 35 pkts/4114 bytes][Goodput ratio: 86.4/53.9][4.14 sec][bytes ratio: 0.561 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 131.6/134.1 1166/1477 228.8/290.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 405.9/117.5 584/732 185.3/107.3][PLAIN TEXT (05CA02AC4414028)]
+ 3 TCP 192.168.242.15:63351 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][25 pkts/9229 bytes <-> 24 pkts/2916 bytes][Goodput ratio: 85.0/55.4][3.56 sec][bytes ratio: 0.520 (Upload)][IAT c2s/s2c min/avg/max/stddev: 5/0 163.8/174.5 1319/1484 293.5/350.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 369.2/121.5 584/733 204.4/129.6][PLAIN TEXT (05CA02AC4414028)]
+ 4 TCP 192.168.242.15:63348 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][25 pkts/9114 bytes <-> 24 pkts/2915 bytes][Goodput ratio: 84.8/55.4][3.42 sec][bytes ratio: 0.515 (Upload)][IAT c2s/s2c min/avg/max/stddev: 10/0 157.7/169.4 1167/1475 265.8/349.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 364.6/121.5 584/732 204.5/129.4][PLAIN TEXT (05CA02AC4414028)]
5 TCP 192.168.242.15:63343 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][60 pkts/5549 bytes <-> 56 pkts/5094 bytes][Goodput ratio: 36.1/40.5][1799.54 sec][bytes ratio: 0.043 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/16 33934.9/28186.7 60073/60075 29484.2/29644.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 92.5/91.0 585/731 96.8/125.8][PLAIN TEXT (05CA02AC4414028)]
6 TCP 192.168.242.15:63352 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][50 pkts/4894 bytes <-> 46 pkts/4392 bytes][Goodput ratio: 39.7/43.3][1508.66 sec][bytes ratio: 0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/17 33170.0/30242.3 60184/60262 29629.6/29816.1][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 97.9/95.5 586/730 105.0/136.5][PLAIN TEXT (05CA02AC4414028)]
7 TCP 192.168.242.15:63346 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][41 pkts/4409 bytes <-> 37 pkts/3907 bytes][Goodput ratio: 45.4/48.7][1042.88 sec][bytes ratio: 0.060 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/15 27923.8/26021.8 60088/60136 29300.8/29455.1][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 107.5/105.6 585/731 114.0/150.6][PLAIN TEXT (05CA02AC4414028)]
8 TCP 192.168.242.15:63349 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][28 pkts/3254 bytes <-> 24 pkts/3040 bytes][Goodput ratio: 49.8/57.2][602.97 sec][bytes ratio: 0.034 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/14 24649.0/24894.2 60122/60151 29303.3/29368.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 116.2/126.7 584/732 117.5/180.8][PLAIN TEXT (05CA02AC4414028)]
9 TCP 192.168.242.15:63350 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][18 pkts/2655 bytes <-> 14 pkts/2499 bytes][Goodput ratio: 61.1/69.6][153.64 sec][bytes ratio: 0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/15 10959.9/13629.3 60124/60155 21488.4/24847.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 147.5/178.5 585/731 137.0/222.5][PLAIN TEXT (05CA02AC4414028)]
10 TCP 192.168.242.15:63340 <-> 35.174.82.237:11095 [proto: 43/NestLogSink][cat: Cloud/13][42 pkts/2576 bytes <-> 41 pkts/2214 bytes][Goodput ratio: 2.4/0.0][1615.16 sec][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/143 39827.0/40755.2 60071/60122 27934.1/27879.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 61.3/54.0 116/54 8.5/0.0]
- 11 TCP 192.168.242.15:63344 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][11 pkts/2565 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 75.6/60.8][5.29 sec][bytes ratio: 0.297 (Upload)][IAT c2s/s2c min/avg/max/stddev: 61/0 640.5/729.1 2711/3410 865.2/1201.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 233.2/138.9 584/732 216.6/199.2][PLAIN TEXT (05CA02AC4414028)]
- 12 TCP 192.168.242.15:63347 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1390 bytes][Goodput ratio: 71.2/60.8][2.81 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 63/0 341.6/348.9 1182/1489 362.6/517.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/139.0 586/733 195.5/199.5][PLAIN TEXT (05CA02AC4414028)]
- 13 TCP 192.168.242.15:63353 <-> 35.188.154.186:11095 [proto: 43/NestLogSink][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 71.2/60.8][2.65 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 70/0 321.0/347.6 1162/1502 365.5/527.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/138.9 586/732 195.5/199.2][PLAIN TEXT (05CA02AC4414028)]
+ 11 TCP 192.168.242.15:63344 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][11 pkts/2565 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 75.6/60.8][5.29 sec][bytes ratio: 0.297 (Upload)][IAT c2s/s2c min/avg/max/stddev: 61/0 640.5/729.1 2711/3410 865.2/1201.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 233.2/138.9 584/732 216.6/199.2][PLAIN TEXT (05CA02AC4414028)]
+ 12 TCP 192.168.242.15:63347 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1390 bytes][Goodput ratio: 71.2/60.8][2.81 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 63/0 341.6/348.9 1182/1489 362.6/517.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/139.0 586/733 195.5/199.5][PLAIN TEXT (05CA02AC4414028)]
+ 13 TCP 192.168.242.15:63353 <-> 35.188.154.186:11095 [proto: 43.126/NestLogSink.Google][cat: Cloud/13][10 pkts/1983 bytes <-> 10 pkts/1389 bytes][Goodput ratio: 71.2/60.8][2.65 sec][bytes ratio: 0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 70/0 321.0/347.6 1162/1502 365.5/527.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 198.3/138.9 586/732 195.5/199.2][PLAIN TEXT (05CA02AC4414028)]
14 UDP 192.168.242.15:52849 <-> 192.168.242.1:53 [proto: 5/DNS][cat: Network/14][8 pkts/713 bytes <-> 7 pkts/899 bytes][Goodput ratio: 52.8/67.2][3600.37 sec][Host: weave-logsink.nest.com][bytes ratio: -0.115 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 22/4311 596403.3/515880.4 1795476/1795277 670695.5/701384.1][Pkt Len c2s/s2c min/avg/max/stddev: 82/98 89.1/128.4 101/169 9.2/35.1][PLAIN TEXT (logsink)]
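Review bot: The thirteen TCP flows in this capture all use port 11095, yet the expectation now splits them between `NestLogSink` (6 flows to 35.174.82.237) and `Google` (7 flows to 35.188.154.186) on the server address alone. An address match says who hosts the endpoint, not what the traffic is, so placing it in the application slot makes the summary under-report the payload-detected protocol. nintendo.pcap.out flow 17 (`173.178/Nintendo.Amazon`, counted under Amazon while its category stays Game) and zoom.pcap.out flow 29 (`81.189/ICMP.Zoom`) show the same effect. If that is not intended, I would expect the summary to stay `NestLogSink 759 116848 13`, with the provider shown only on the flow line. The classification code is outside this hunk, so the cause is inferred.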
diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out
index 98bd3f2e8..34143be84 100644
--- a/tests/result/nintendo.pcap.out
+++ b/tests/result/nintendo.pcap.out
@@ -1,6 +1,6 @@
ICMP 30 2100 2
-Nintendo 890 320242 12
-Amazon 76 10811 7
+Nintendo 887 319888 11
+Amazon 79 11165 8
JA3 Host Stats:
IP Address # JA3C
@@ -23,7 +23,7 @@ JA3 Host Stats:
14 UDP 192.168.12.114:55915 <-> 35.158.74.61:10025 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes <-> 5 pkts/290 bytes][Goodput ratio: 27.5/27.5][0.06 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.0/0.8 4/3 1.7/1.3][Pkt Len c2s/s2c min/avg/max/stddev: 58/58 58.0/58.0 58/58 0.0/0.0]
15 UDP 192.168.12.114:18874 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][1 pkts/110 bytes <-> 1 pkts/281 bytes][Goodput ratio: 61.3/84.8][0.03 sec][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][PLAIN TEXT (fb203858ebc)]
16 UDP 192.168.12.114:51035 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][1 pkts/110 bytes <-> 1 pkts/281 bytes][Goodput ratio: 61.3/84.8][< 1 sec][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][PLAIN TEXT (fb203858ebc)]
- 17 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173/Nintendo][cat: Game/8][3 pkts/354 bytes -> 0 pkts/0 bytes][Goodput ratio: 64.2/0.0][0.00 sec]
+ 17 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173.178/Nintendo.Amazon][cat: Game/8][3 pkts/354 bytes -> 0 pkts/0 bytes][Goodput ratio: 64.2/0.0][0.00 sec]
18 UDP 192.168.12.114:55915 -> 35.158.74.61:33335 [proto: 178/Amazon][cat: Web/5][3 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 60.2/0.0][0.00 sec][PLAIN TEXT (NATTestId)]
19 UDP 192.168.12.114:55915 -> 52.10.205.177:34343 [proto: 178/Amazon][cat: Web/5][1 pkts/298 bytes -> 0 pkts/0 bytes][Goodput ratio: 85.6/0.0][< 1 sec]
20 UDP 192.168.12.114:55915 -> 35.158.74.61:33334 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes -> 0 pkts/0 bytes][Goodput ratio: 27.5/0.0][0.00 sec]
diff --git a/tests/result/ookla.pcap.out b/tests/result/ookla.pcap.out
index d49e5e26d..031500eec 100644
--- a/tests/result/ookla.pcap.out
+++ b/tests/result/ookla.pcap.out
@@ -1,4 +1,4 @@
Ookla 5086 4689745 2
1 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][cat: Network/14][2202 pkts/1032520 bytes <-> 2864 pkts/3652905 bytes][Goodput ratio: 85.6/94.8][40.14 sec][bytes ratio: -0.559 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14.8/11.5 2086/2226 59.5/54.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 468.9/1275.5 1506/1506 642.3/526.9][PLAIN TEXT ( 6HELLO 2.4 2016)]
- 2 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 191/Ookla][cat: Network/14][12 pkts/2238 bytes <-> 8 pkts/2082 bytes][Goodput ratio: 64.0/74.2][5.33 sec][bytes ratio: 0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 527.8/46.8 5005/84 1492.6/27.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186.5/260.2 430/523 168.4/194.4][PLAIN TEXT (GET /crossdomain.xml HTTP/1.1)]
+ 2 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][cat: Network/14][12 pkts/2238 bytes <-> 8 pkts/2082 bytes][Goodput ratio: 64.0/74.2][5.33 sec][bytes ratio: 0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 527.8/46.8 5005/84 1492.6/27.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 186.5/260.2 430/523 168.4/194.4][PLAIN TEXT (GET /crossdomain.xml HTTP/1.1)]
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index 45d402e2a..db6d78183 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -1,7 +1,6 @@
Unknown 753 81587 37
DNS 2 267 1
MDNS 8 1736 2
-NTP 2 180 1
SSDP 101 38156 6
SkypeCall 152 10704 144
ICMP 8 656 1
@@ -9,10 +8,9 @@ IGMP 5 258 4
TLS 96 8876 7
Dropbox 38 17948 5
Skype 1796 451121 80
-Apple 3 168 1
+Apple 17 2225 3
AppleiCloud 88 20520 2
Spotify 5 430 1
-ApplePush 12 1877 1
JA3 Host Stats:
IP Address # JA3C
@@ -33,7 +31,7 @@ JA3 Host Stats:
12 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][120.16 sec][PLAIN TEXT ( 3375359593)]
13 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][120.15 sec][PLAIN TEXT ( 3375359593)]
14 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/2140 bytes <-> 3 pkts/200 bytes][Goodput ratio: 62.4/0.0][20.12 sec][bytes ratio: 0.829 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1686.5/0.0 6249/0 2226.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 178.3/66.7 233/74 77.4/5.7][TLSv1][Client: apps.skype.com]
- 15 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/1211 bytes <-> 6 pkts/666 bytes][Goodput ratio: 67.2/40.5][66.95 sec][bytes ratio: 0.290 (Upload)][IAT c2s/s2c min/avg/max/stddev: 228/1 16680.0/16680.0 43974/44201 18098.6/18356.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.8/111.0 471/156 151.4/45.0]
+ 15 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/1211 bytes <-> 6 pkts/666 bytes][Goodput ratio: 67.2/40.5][66.95 sec][bytes ratio: 0.290 (Upload)][IAT c2s/s2c min/avg/max/stddev: 228/1 16680.0/16680.0 43974/44201 18098.6/18356.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.8/111.0 471/156 151.4/45.0]
16 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][13 pkts/1554 bytes <-> 3 pkts/200 bytes][Goodput ratio: 44.0/0.0][29.28 sec][bytes ratio: 0.772 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/73 2359.7/73.0 8785/73 2805.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 119.5/66.7 138/74 27.3/5.7]
17 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/TLS][cat: Web/5][13 pkts/1392 bytes <-> 3 pkts/200 bytes][Goodput ratio: 37.5/0.0][25.19 sec][bytes ratio: 0.749 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/66 2027.6/66.0 7535/66 2315.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 107.1/66.7 138/74 21.3/5.7]
18 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1305 bytes <-> 3 pkts/285 bytes][Goodput ratio: 39.3/27.6][17.34 sec][bytes ratio: 0.642 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/77 1416.3/77.0 5596/77 1925.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 108.8/95.0 138/145 30.7/35.5]
@@ -124,7 +122,7 @@ JA3 Host Stats:
103 UDP 192.168.1.34:13021 -> 176.26.55.167:63773 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][5 pkts/300 bytes -> 0 pkts/0 bytes][Goodput ratio: 29.9/0.0][20.13 sec]
104 UDP 192.168.1.34:58681 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Goodput ratio: 57.8/74.3][0.07 sec][Host: db3msgr5011709.gateway.messenger.live.com][PLAIN TEXT (MSGR5011709)]
105 UDP 192.168.1.34:62454 <-> 192.168.1.1:53 [proto: 5.143/DNS.AppleiCloud][cat: Web/5][1 pkts/101 bytes <-> 1 pkts/133 bytes][Goodput ratio: 57.8/67.9][0.05 sec][Host: p05-keyvalueservice.icloud.com.akadns.net][PLAIN TEXT (valueservice)]
- 106 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 52.7/52.7][0.05 sec]
+ 106 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 52.7/52.7][0.05 sec]
107 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48.2/56.6][0.05 sec][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
108 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48.2/56.6][0.05 sec][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
109 UDP 192.168.1.34:64085 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48.2/56.6][0.06 sec][Host: e7768.b.akamaiedge.net][PLAIN TEXT (akamaiedge)]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index 962935d87..01e22efd3 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -9,8 +9,7 @@ IGMP 4 226 4
TLS 79 7742 6
Dropbox 16 7342 5
Skype 1185 331827 60
-Apple 76 19581 1
-ApplePush 8 1118 1
+Apple 84 20699 2
JA3 Host Stats:
IP Address # JA3C
@@ -57,7 +56,7 @@ JA3 Host Stats:
38 TCP 192.168.1.34:51267 <-> 111.221.74.18:40025 [proto: 125/Skype][cat: VoIP/10][10 pkts/785 bytes <-> 4 pkts/378 bytes][Goodput ratio: 15.9/28.0][17.94 sec][bytes ratio: 0.350 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1703.2/147.5 4607/294 1700.3/146.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 78.5/94.5 159/164 27.6/40.3]
39 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/285 bytes][Goodput ratio: 24.3/27.6][18.79 sec][bytes ratio: 0.507 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/199 2007.5/199.0 5293/199 1964.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 87.2/95.0 138/145 22.1/35.5]
40 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/958 bytes <-> 2 pkts/184 bytes][Goodput ratio: 73.6/54.1][1.27 sec][Host: __msbrowse__][bytes ratio: 0.678 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1258 253.0/1258.0 1243/1258 495.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 104/92 159.7/92.0 271/92 78.7/0.0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)]
- 41 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 238/ApplePush][cat: Cloud/13][4 pkts/674 bytes <-> 4 pkts/444 bytes][Goodput ratio: 60.7/40.4][10.70 sec][bytes ratio: 0.206 (Upload)][IAT c2s/s2c min/avg/max/stddev: 215/1 3565.3/3493.7 10265/10480 4737.4/4940.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 168.5/111.0 279/156 102.7/45.0]
+ 41 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][4 pkts/674 bytes <-> 4 pkts/444 bytes][Goodput ratio: 60.7/40.4][10.70 sec][bytes ratio: 0.206 (Upload)][IAT c2s/s2c min/avg/max/stddev: 215/1 3565.3/3493.7 10265/10480 4737.4/4940.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 168.5/111.0 279/156 102.7/45.0]
42 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.07 sec][PLAIN TEXT ( 1573195445)]
43 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.07 sec][PLAIN TEXT ( 1573195445)]
44 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.05 sec][PLAIN TEXT ( 3375359593)]
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index 2da823c1b..e3aceafa2 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -5,10 +5,9 @@ WhatsAppCall 803 102942 20
ICMP 10 700 1
TLS 8 589 2
Dropbox 4 2176 1
-Apple 190 50263 21
+Apple 212 56189 22
WhatsApp 182 25154 2
Spotify 3 258 1
-ApplePush 22 5926 1
JA3 Host Stats:
IP Address # JA3C
@@ -21,7 +20,7 @@ JA3 Host Stats:
4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86.5/80.2][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 121.7/107.9 1665/1391 339.6/319.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 84.8/90.3][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1908.9/36.8 30435/294 7133.2/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][Server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2014-03-08 01:53:04 - 2029-03-08 01:53:04][Cipher: TLS_RSA_WITH_RC4_128_MD5]
6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 84.7/76.8][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.8/42.0 225/228 76.0/80.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)]
+ 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)]
8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][Goodput ratio: 78.4/79.7][29.18 sec][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2192.2/2121.8 18656/18299 5822.2/5720.0][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5]
9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][59.94 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79.4/59.8][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1922.9/792.0 6986/6468 2906.0/2008.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8]
diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out
index 6d642ec2b..59a9dce17 100644
--- a/tests/result/whatsapp_login_chat.pcap.out
+++ b/tests/result/whatsapp_login_chat.pcap.out
@@ -1,14 +1,13 @@
MDNS 2 202 2
DHCP 6 2052 1
Dropbox 2 1088 1
-Apple 44 21371 1
+Apple 50 23466 2
WhatsApp 32 3243 2
Spotify 1 86 1
-ApplePush 6 2095 1
1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes][Goodput ratio: 91.4/82.7][3.89 sec][bytes ratio: 0.415 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 179.5/27.0 2803/212 622.4/56.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629.9/312.7 1494/1002 544.4/369.6][PLAIN TEXT (BjmkLnl)]
2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][cat: Chat/9][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][Goodput ratio: 36.8/25.9][19.72 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)]
- 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0]
+ 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0]
4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][25.29 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
5 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.04 sec][PLAIN TEXT ( 3375359593)]
6 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e12.whatsapp.net][PLAIN TEXT (whatsapp)]
diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out
index df91995f4..a006ae7a6 100644
--- a/tests/result/zoom.pcap.out
+++ b/tests/result/zoom.pcap.out
@@ -5,11 +5,11 @@ SSDP 1 168 1
DHCP 1 321 1
ntop 20 4265 1
IMAPS 2 226 1
-ICMP 3 210 2
+ICMP 1 70 1
TLS 2 114 1
Google 26 8851 3
Spotify 1 86 1
-Zoom 635 354005 19
+Zoom 637 354145 20
JA3 Host Stats:
IP Address # JA3C
@@ -44,7 +44,7 @@ JA3 Host Stats:
26 UDP 192.168.1.117:57025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][1 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 74.6/0.0][< 1 sec][PLAIN TEXT (SEARCH )]
27 UDP 192.168.1.117:62988 <-> 192.168.1.1:53 [proto: 5.189/DNS.Zoom][cat: Video/26][1 pkts/72 bytes <-> 1 pkts/88 bytes][Goodput ratio: 41.1/51.7][0.04 sec][Host: www3.zoom.us]
28 UDP 192.168.1.117:64352 <-> 192.168.1.1:53 [proto: 5.189/DNS.Zoom][cat: Video/26][1 pkts/71 bytes <-> 1 pkts/87 bytes][Goodput ratio: 40.3/51.1][0.04 sec][Host: log.zoom.us]
- 29 ICMP 192.168.1.117:0 -> 162.255.38.14:0 [proto: 81/ICMP][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.7/0.0][0.01 sec]
+ 29 ICMP 192.168.1.117:0 -> 162.255.38.14:0 [proto: 81.189/ICMP.Zoom][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.7/0.0][0.01 sec]
30 TCP 192.168.1.117:54798 <-> 13.225.84.182:443 [proto: 91/TLS][cat: Web/5][1 pkts/54 bytes <-> 1 pkts/60 bytes][Goodput ratio: 0.0/0.0][0.04 sec]
31 UDP 192.168.1.117:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/87 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][< 1 sec][PLAIN TEXT (spotify)]
32 UDP 192.168.1.117:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 50.6/0.0][< 1 sec][PLAIN TEXT (SpotUdp)]